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<fc 0 ffi£Shfe«6^*n*»W*WSt*WS# 

twain i ©w£#aie ± DimcFtiisti^flmme 
ms% 2 vmmtz d mmmznmmtmi 

ssft* mztntcM^ tmfu p^lm y* 

h-)WZfrGfrZz-Vfc^&b&m^&b#T 

mass] zmm^-vmmwmwmz 



slant, m%.2nrd§£^ mtfu^hmmt 
^^m^-w^b^m^b^-xmt, 

mm e ] *ottK*-v<&m#M&9m 

mm 1 mqfem^mmmznmmtfwmm 
10 znmmT*$>ztmznrci§&K, wmmzn 

mm 2 oweifi-rtwa? mztiitw&mi'?* 
[0001] 

30 [0 0 0 2] 

[$*©» H©*$m»mis 

F7-7 (LAN) ©gfitfflA,Wfc)ft Mi PC 
^-X©^7^7yb/^-^XTAtf^t, fro 

[0 0 0 3] Sfc, CC3R^O>ry*-*yh-0««W 
± D , n > if a &iX * > F 7 n yx*ffi% 2 
40 nS^D, JyZ-ZyVKmZtiTmZtiZZt 

nfc3Vl£a-#©«tfStT*&<> fl«'03>lia- 

[0 0 0 4] fcfc\ *yh7-^rt©ffi©3yt!a-^ 
£©r-£«i, WlKie©-7jT\ SM*>yb7 
-*fcftAt,fcnyt£a~£ • 7^Xfc:ftLTi®£© 
««©«^«Kft tTV^S c fclcfeftS. ft¥ 5 £ tit 
IWelELfc Tl love y o uj (IE 
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[0005] 

fc&D, ^©^vxfc&ftj&et&^cfc, 

[0 0 0 6] t«:^i:n5<DV7h t >x7m 7- 
b-tz^ ^XrA^'J, ^-r^>3>r-7;k 

HlTfco^r. #£©7^l/XEPfr&3-FfP 

[0007] tciSftMSteSSfcik $-r;i/Xfc* 
©Ht©n-Ff)^£^^ttfcH^£&v^/]/ 

V^fcJO^rt/XttfcSSAA g8n©7^Xt?&oT 20 

[0 0 0 8] Sfe, Mu t a t i on Engine 

tS*6n*V7h«^i7) ©UU-Xttfc 40lfe 
©JBI8© HnfcTffeaftS^JHH!©^ ;PX»D L 
<:©^-r7©7^;l/XK^n§n-Hm 

til • Hgtf HBfcftS. 

[0 0 0 9] *6fc±EV7K«>i7H:feotf5^-f;P 30 

BS^oT^S, fcfcfctf, ^7/P7>y7ft£»c 
^MLTL$?Ac t i veXnyfo-;^, £W7 

[0 0 10] MMiaoTtt, ^©^^©^ 40 
+a y r-f #U i/-K.t>£"3^Xs n-*;l/U V-Xa 
©7^-bX»ILTl^fe©^5o ftfcAtfJ'av 
a©VM±"l?£fT2ftSJava77Wh ( i 77U 

insists**) t-wr^-bxtsct^tft 
[ooii] ztimmt^omfrzit, $mm 

3S**>3.— tfcnfflmokfumrTfrih & ^ ism***;;?., w 



(3) #§§2 0 0 3-6 7 2 1 0 

4 

[0 0 12] tOJSEtt, a— if^S/Xr^fcfcoTfe 
[00 13] 

mmmuc^ mm 1 tiBt©?»M^7 

n 7? A^ff KitMi, *©^ff fca-lf ©ft rT# & 

W£«nfc«^t, MfB7n^ivSM'yxh-/J/fS 
[0 0 14] c©IWtaitel2«©«93l«:J:titf, £5> 

a, -y yx b -MzfriLoxzL-tfKzmmmm 

[0 0 1 5] Sfc, f»^2tfHl©7n^9A^^ 
jkSWJ, *©^Ka-1f©ims«aK«tt*ffi3£ 
7n?7Afr^*$n/c«j£-«* 

[0 0 16] ;:©if^2tiHt©^}i:j:n«\ &5 
tt, j^fc^?Ta-tffc*©l^#*fc2ftSi:fc 

So 

[0 0 17] Sfc, «^3ti3«©7n^Alltfge 

m i mm-m.. mm 1 ©f^^atj: dim 

QKfSSlVCV&frn Ittmstil&feK. MIB7n 
^7A©llff%««K'rS*^%a-1fKKV^t)*5 



5 

[oo 1 9] mmmm<Dfu^ymm 

%*z*mimt, mzmmxmmm-mim 
wmzmmmzztis tmtm^K, mb 

[0020] con^®4 tcta««^tj:n«\ &5 

[0021] *fo mm5K.m<o7u>f7Lmw 
turn*, zmn^-vcomtfmmmmfe 

tSJUTDB^ 7W5Afr6^Sftfe«lll--tf|> 
[0022] c©ff^5£fBt©?»J:nff\ fee. 

So 

[0 0 2 3] $fe, Bl5»B6fcEKO^P^^«ffl» 

Kommt, Mien i ^mxmmmmth 
wrnafc, Mian 2 owsiSTfKMWtftijstifea 

[0 0 2 4] C0!*a6fcB«©B!fifcJ:ft& 7n 
HfWIrSftSo 

[0 0 2 5] Sfc, if^7fciB«©7W72^ M 



(4) #12 0 0 3-6 7 2 1 0 

6 

[0026] c<Dmm7 Ktm^mi^mi, mis 
mm 4 ~n*s e ©^-r n^-3fcBto*i6tf 3 y 

[0 0 2 7] £fc, i^8tfBt©fE^#ii, MIS 
!f^7 KfBt©7n?7A£fE§iLfcc: 

[0028] c©ira8K:|B*©^fcJ:ft& MiB 

[00 2 9] 

[^©m©M MTKmmmmiT, u© 

^fc«k57W5A£fTB&ikm 7W7A£frl8 

[o o 3 o] m nt. mmmmmmiM^u 
20 ^Lmmmmo)^- F7 x tim** tiM? 

g§ 0 ^)0fn*5^T, i o i ttgg^ttfc&jfflrrs c p 
U*, 1 0 2(i»*Atil^7 s n^^lBlibfcROM 
1 0 3fiCPUl 0 1©7-*X'J72:LT$J1£ 

[003 1] £fc, 1 04&CPU1 0 lOWflfcl/fe 
^•oTHD (m-FtVX?) 1 0 SfcfttSr-*© 
V - b ait 5 H D D (a- FrV X? K5 
* 7) 1 0 5 ttH D D 1 0 4 ©«£ Lfetf oT# 

tasnfe7*-**iBiit*HD*, whi^lt^ 

30 5 0 1 0 6 12 C P U 1 0 1 ©»£ Llt&nr F 

D (7nylf- MS® rVX?) 10 7t*hT§ 
r-^©'J-F/7-r b^MfS FDD (7tt-yt£- 
tV X? F5W7) £s 107&FDD106 ©»l 
Lfc^oT«t^Snfcr-^^fB'It§^gfi©F 

d&, wen^i/tv*. 
[0 0 3 2] trc i0 8tt*-y;K ^-a-s 7^ 

SrVx^W^ l o 9ttffi^-7;H l o'fcftL 

40 10 1 fcO>T>5f-7i-XfctT«l&rS*v h7- 

^^y^-7x-x^ ^n^n^LTv^o 

[0 0 3 3] Sfe, 11 » 

©^Kftif^cftov^x^ *n^n^LTi^s. 

Sfe, 1 1 3 tt*KnrilftlBSJi»?a&5 CD-ROM 
1 1 4tiCD-R0Ml 1 3fC^frSr-^©U- 
F«ffefflrrs CD-ROM K9-f 7^*, 1 0 0 tt±IB& 



(5) 
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[0 0 3 4] O^iC, mt&^09ffiDfflSfcfrfr 
*ffflfcJ:37W7£ISf^ihg1Ifc!:, lift 

WEtt (i) Jyfjyt, zx^mmtz&ofc 
(2) SK^^yofcffRreswJSu sufTRpeft 
5«^KSK^5^yic«a«i «-ex) 

5'^yfcJ:Dx 2 0 1 xtt*©*XhfcftS77y* 
[0 0 3 5] 2 00 a«, T^^^^X h-/M 

o-*«*o*^ h tftsr ^y g y ts^-rs 

x-*l$fc, C©75?^tf3II*X h*»6Pftfffit 

mmfy^ytD^yx -ox 
o^tttftecfcScfcte&So 20 

[0 0 3 6] Sfe, 2 00bfififf^©#lttLfc^o 

x, *zbmm%mmm (tct^tyr^m 
774mm, »^Ffm r+xnttfj 

[0 0 3 7] Oft, 2 0 1 a{^7WyOli-I 
ffi^gP2 0 0 afrBa^SftfeSMBHBfclWRLT, 3 
i&77^>©£fTtff$fcH:£fT*KU ^©-T>xh- 
;l/RR5J?«ftm *5^{4«aERTS CKTTfttCftB 
*Sfc»T*fTRR5i:fe^5) ftflfcti-fe+ayr-f 30 

[0 0 3 8] Sfc, 20 1btt-fe*ay^»l»20 

ffiiWtS-b+ayr-f^y^-DB (r-^^-X) ? 
feSo co-fe+aUrY^y^-lctt, (1) 

jgi&RTS) £W£WcJ6©fe©^ (2) 7?^> 
[00 3 9-] JlftWfc^ (1) ©£frtff©-fe* a ijf 40 

yfrzmzhmm-mmzmmtfiiiZftx^ 
5«^t, StS^^yfc^yxh-zi/***^ 

5 &©•?&?>> (2) ©^ffifj©-fe^ayr-f#y^- 
m y^^yfom^ mmmmxh-o 

icftmiKw tf tfjsnfe«^ic, m? y 



#12 0 0 3-6 7 2 1 0 
8 

[0 0 4 0] oft, 2 0 1 ctLfclB-b+ayr^^y 

s^oiamRSsa-^ t>mm% 1 1 tic, «s 
snfeflBR*-fe*a y r^r #y b 2 0 1 b ic«m 
ts-fe*ayr-f*y^-ssaPTf»So 

[0 0 4 1] H 3 tt, •fc*ayr'f*y^-»£952 0 
1 clckVm^tiZ, _fcwe CD (2) ©-b^a'Jr 
-r#y^-© r#^©«^j ^K^t§fcJ6©HM©- 
0&£*tflffiHBI*e&5o 0ffr£W©$^X3 0-Ofc 

it, *x h tftzryv'r-i/ByffwfyyjyK 

[0 0 4 2] fcfcfctffcS*-?-®^^^ * 
X h©«fil««?tfWrc fcT? rgiJ©7n77Atfff$L 

fc7r'-r;i/*insretsj (03#d ^ ^177 

74y<DMTK&?X, S/XrA77-rM>*©ft!©r 
[0 0 4 3] ffc, f=7>?4yft mwufykm 

Tsmzt&x%%\ mt, *xh»jiL4i>sij©7 
ytr^-fex-etsj i^xhyKas/xrAfii 

«mMitf8^£ft'TVS©T?, *XrA£Bfc»S 
ftS* ^7/1/7 y7 , ©S§K5&&g*.&n5, flAHHI 
(#£;U7-K) ;&fiEsnsaif©«»*mL5 

[ 0 0 4 4 ] s fc, rr k ux«fcfiai*nTv^4v^a 
ajbTL*5^«tt*«»*. a»fc, rrFi/xiuca» 

?nT^§t^T©a-iff;:^-;l/^l§ci:^f 

#&t>, mmcmtthrc r 1 1 0 v e y 0 
7 ;i/x©s»«^rr sfe^en^feSo' 

CO 0 4 5] 46, &ftfttt$SSirar?&tl& i25 

f L i 7 F Vxurt ©^a-ifeft < 1 1, ^lt©i:^ 

fe§ ( TMe 1 i s s aj ©cfc5t> «»©5 0ft©7 

Fbx-\ga©«s^i^f sfe©tss) ©1?, eel 

It rt^TJ ©^DC TOA«±J 
[0 0 4 6] 7Fl/X«rt©^a— «ft^-;l/* 

smtsfcf^ (1) 7Y\sxm>t><D*ymyw 
ts (2) jtHtLfe^v/^o^-zwasefcoroo 
wmmfr&mmz, z ttxtmx\ ±mmm 
it r7 f \s7Mfrt>* y*mWLx*-mm l t% 

[0 0 4 7] fe^LHaCffi^Tfftil^fiJOffl*-?* 



(6) 



#12 0 0 3-6 7 2 1 0 
10 
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±fEfr 5 £ 5 LfcfflflW*fr-X*jiH»flt [0 0 5 4] H4fc^r^7o^a-iftf 



[0 0 4 8] 03t*tM«it£±fB©£5&tm -/MifeCftfe'fl^ W^y©^>Xh-;V^* 



y^yr^m, in6*fcfla©7r>r^*B!iMrr*^ & mtii$©^7n^m£n§ < fc5£&3 0 

gtt*<, M^^l^^^77^;P»«^ [0 0 5 6] *lt\ iHWtttlfca^SftfeBIHO^ 

[0 0 4 9] ^LX\ H30£fflO#v*X3 OOfcJII jg»tSo Sfc, ClI? rw*J ##>4 OlWT 
y 3 0 2 fc J; 9 ft$l©#'y ^X 3 0 3 teWHB L £ D 

r*j<o WB?ii±E*f)eoa*fcLT, rrKi/xnte 20 [0057] sfc, H6B:rai;<^ra8vv&t>£» 

»£ftT^St<T©aHfK:><~;l/£g5efcff-e 2 0 1 dfc«fc!)S*£ti5, 7°7^yf!CT«©|i 

cttR£rt««r*a'jf-f#i;j/-DB2 0 1 t>fc» ^H3oiaarflftSLfc«te-e*orx j&ojifjMtea 

[ 0 0 5 0] m 2 km *> > ofric 2 0 1 d imm^m nm.zft% a 

l/v&fcWCfc^ Wa'Jr^fag|52 0 1 atf-fe* [0 0 5 8] ±miTc (1) Otta'JfY*!lJ^li: 

xUty^u^-db 2 o i brt©-fe*aUr-f*u^ ±*^ffffl tfyxh-mmzwmmm) ©st 
-fcfet^t, a-if©5ii!^M^fijsLfc^t, ^^y^g©«fg-»%^-et5 

[o o 5 l] H4tt, HfTRrsrav^*3-&»2 o l dfc ^cfcTMfc^8^Btfc#**TL3:3o *«: 
«fcD«SSh«, ^^^ffMfc*©llfTRrS«» (2) ©•fe^UrY*U^-KJ:D, »T«Tte 

B1-*fe*O^Y7n^oHW*^tWliH'e«*. c H^snfcOfc»8:*«»yi*tfffl*nTV^l^23 

©^7o?fctt, ^^^H^Lfcltl-H^ *»«ff (file fe«l«a-rs <D7«ft « 0 

3.-^H3©BBfeJ&£Lfc Cfcfl|©#y ?X3 0 0 [0 0 5 9] H6®0flm 7 FbXtlF^a-f^ 

^) «6i:-HW*fe©*«**hT^*o ^tTs c© f)\ myy^ymm, m^ru^m.^ 

?y 9 A y\mm% <t a ^ 7 f i/x«ft©£a~^ «t d ±id«ti©^f «-^«s$n, ^t>tf *are*v^ 

^©^-/MaMI ^ 5 >M L ttv*ftv*HI* ihfc 5 ftS c left*. 

feCftStf, ftl-pfeffilt**»H5*»tfa-1ffcR|t3 40 [0 0 6 0]ftfe, 06©^V7n^Cj;§«^^t 

[0 0 5 2] ftfe, 04©^V7n^i^7^W>©^ OSffTtStfC, ^7n*^SftfcfiJI**© 

li (l) Sl^^y©^>XF-;l/*M> fe«fctf/ SfcWUfLfefcttt, r^itj #*:/6 0 l*jfTt* 

(2) m^y^yvmmfcmtzct ztr-c^y^ymm^orc^mu 7?? 

[0 0 5 3] ^LT, -<>Xh-;HtWoSiaBlfa— 9 s § 0 

^ Ri^j ^^^4 0 O^ffTLfcl^ t^fc^l^ [0 0 6 1] feofct), *Wfc*#LTV^V«*Hf 

fcfrfrb B-fi-if mm???* yvmzm l mtz o mi^fy^ yn-mm L%»t» ? 



[0 0 5 5] H5fc^t^7n^ RiV^j « 
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[0 0 6 2] Offfc 2 0 1 e tt^XrAft 

■fe*ay^ffS»2 0 1 aKftLT, 1W> 
[0 0 6 3] £LT±$ (2) ©b+a'JfY* 1 ;^ 

©t fc?*ff wsnsi^, -ratJ-ssKifiW 
Wfc*fisnfcfe©"e*«**icHu ->xf Affile 2 

0 i e{4^ifflffi%^^>K»ft-rs^-fnfroa 

So 

[oo6 4] St, mwmmmmzm^Wi 

-tr*aUr^tag|52 0 1 afr£©^*£W 
feUffRTSWii^fe-eW 2 0 l d fc cfc t) , H 6 fciSLfe 

tic, ^xrA«»§P2 o i eit^mm^fy^y 

[0 0 6 5] o£fc2 0 1 f~2 0 1 lit 

fy^yicMLxmmm w-ex) mm% 
s»e&D, 201 f foyrJimmfrm-v.* 
*»ttt*7r-f/ni*iaAap, 20 1 %\rj7jm\ 
mm-zzmmzyrjmim. 20 1 ha* 

>f > F7£$©^-ex£»r37^ F7M5, 
2 0 1 i ttx^hffl^OU-vfxSSfiWSr+Xh 

x, t-mm?) , BH"ettH*««i»bTv^*. 

[0 0 6 6] Ogfc, H7~H9tt*^OHSSO^J| 

K^^57n^7A^tTg5±^XrAtfelt§, 7n? 
7AHfr KfjhWl©#m*wt7n-^+- h?fc«. 
m&7u9yh (zomtli'fv'fjy) o-fyxb 
-;KD^ih, HSttTW^A (TO ©jgli©*it, 
09^CT©7n?7A (TO oWtiD, *ft 

fcSo 

[0 0 6 7].**, W7~H907n-^+-hfcJ:« 
®a©»^ioT, WaiJf^W^-D B 2 0 

1 bfctt-b4raUr^*US^-R£»2 0 l ct«fcO, 
HfrMfei^fT*©-fe^a U #U *y-mZfr U 

[0 0 6 8] S"fH7fc^ •OXh-;l/©ffi±t«J: 
S7n^AHtTK±©#/Ifi:^v>T^t§o 7v? 
7 > ©«IHBi^» 2 0 0 a ft, S177 ?V y©^ 



(7) #H2 0 0 3-6 7 2 1 0 

12 

tl©-fl£^T3 (Xr-y 7S 7 0 1). 
[0 0 6 9] *X h t%Z>7fV>r-i/3 ±|H- 
yr-f»I» 2 0 1 a-HMWSfcfcfe 
£, -b^a y stf'J B 2 0 1 b rt©-fe^a y r 
* # y s/-*#sa lt, c oT^-f y<D-r y* h -;v 
fc a-lf ©511 [tf if 5 frfcfflS* * (Xr >y 7 S 
7 0 2) o Iftidi, H^snfcHi*li:»6frUft 

io nr^nffliBR ^nr^ftithtfais^ifct 

So 

[0 0 7 0] ^LT, a-lfOBtBtf&g-fffcntf (X 
r>y 7S 7 0 2 : Y e s) , jUffRRSrav^e* 2 0 
ldfcJ:DH4fcSLfcJ;5ft^7ny*«^L (X 

T7^s 703), nm>?47u>rt r«i\j my 

4 0 oaWFSftfefctH: (Xr-y7S 7 0 4 : Y e 
s) , *6fcH5fcjSLfc<fc5ft^7P7*^*S 

(Xr>y7S 70 5). aK^^yo-rv 
Xh-/l/£ffifffi?)33<:&o? (Xr-y7S 7 0 6), 
20 *7n-^^-hKJ:5^^iK7-r5 0 

[0 0 7 1] 04O^7n^ rw*j 

>4 o imytntctm (xr-y 7s 7 0 4 : n 

0) , -<yxh-;V**c45fW>Dfc, 4>ZY~>\/ 

mtLkmtv^Jitm.LT afyfs 1 0 
7) , *7u-?*-v\o:z>mmjtz> 0 

[0 0 7 2] "Dgtcmtifft. ga©*±t j;§7n 

fc, *0«&-IHl3»2 0 0 atiD, ffiffl«?SL 
30 T^5«H©-*£itj*t5 (Xr>y^S 8 0 1)'.* 
XhT1i^©-lr^ayT^ta§P2 0 1 afc±D, CO 

(Xr>y7S 8 0 2) . 
[00 7 3] HfMtcB. -TyXh- /PRt©05©^ 
7n^' (07©Xr>y7S 7 0 5) T\ ^&iltutfe|| 

rf § (Xr>y7S 8 0 2 : Y e s) . *l/T*ffRlS 
40 Wl^4>«»2 0 1 dfcfl^LT, 04fc^L/cck5* 
■aWn^sa^S-e* (Xr>y7S 8 0 3) . 

[0074] coMTutrv ravj 4 0 o# 

ffT^nSi: (Xr-y 7S 8 0 4 : Ye s) , 

ymm^mmh cxr-y7s 8 0 5) , r^^^j 

f^y 4 0 1 tfffTSftSfc (Xr>y7s 8 0 4 : N 

o) , 77?jy<Dmh%*±Lrcm*v-k-*jm 

(Xr-y7S 8 0 6) Lfeft, *7o-^-Mcj; 
[0 0 7 5] o€fcH9£^"r, HCT»ftJ;§7n^ 



(8) 
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t&¥tfffiUI52 0 0bfra, ^©*Xhfcft£77y^ 

-y g yicttbmmm m im (xr^s 

9 0 1), $/XrAfi«952 0 1 ettWayf-fli 
352 0 1 aKS^br; S®»fiK)^-^0«ga<^ 
fil/T fe J: VfeOf* « *♦ H 5 (Xf 7 

7S 9 0 2) o 

[0 0 7 6] Way f^*S*2 0 1 a«, MSgftfig 

*«WBJ:tf/Sfcttj®&itW) fc©S2nf«fcfi& 10 
SS^ta-lfoStg^jgSlfcKI^L (Xfy^S 9 0 

2 : Ye s) , mnm^£b#$2 0 1 dfcft^L 
T, H6fc^tfeJ;5a^7n^*^$-&S (Xf 
>y7S 9 0 3) o 

[0 0 7 7] £LT, Z<D?J7u9-e Hj 
6 0 0tf#T2ft5fc (Xr-y7S904 : Yes) If 

**OSSMIb (Xf>y/S 9 0 5), rtfiihj 
>6 0 l3WF*n«fc (Xr>y7S90 4 : No, X 
r>y 7S 9 0 6 : Y e s) , zm&T'fy 94 y<D% 20 

t%> (Xr-y7S 9 0 7) o 

[007 8] $fc, r7^>Xh-;l/J #$r>6 0 2 
jWFFStiSfc (Xr-y^S 9 0 6 : No) , WCfy 
sfJyZ7yJyZh-)l< (Xr-y7S 9 0 8) Lfc 
& *7n-**-hfcJ:44B8i**7t*. 

[0 0 7 9] ±aLfe^S!l©^Sn»tia.-1fOS 

te«5^i;»ii£Lfc«e^snTv^^^ fee 30 

[0 0 8 0] ffc, ±$Lfcilffi©ffi»tt7n?7.k 

SSfecaofctf (03) , fc5WJ7W5.kerfcfc 
StStS^ta:v^»S-pt5J:5K:tTfe<J:^ fc 
fc*fcf-0© P C Wt-fffl Ltl/^fp, {&©{£ 

jvttz) mmmxtmztmi,^?^ m 40 

mfy 94 yiM yx h -;l>*h* 5. £4? fc i: *fc 
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- (57)Abstract: 

{PROBLEM TO BE SOLVED: To prevent the 
execution of a program dangerous to a user and 
a system, such as a virus infected program and 
. a maliciously created program. 
I SOLUTION: Prior to installation or starting up 
[ of a plug-in, a function list showing unit 200a 
I thereof shows to an application to be a host a 
| list of functions (services) to be used by 
{ acquiring from the host. When a dangerous 
i function (erasing a file, etc.), specified in 
] advance in the list is included, a security 
I management unit 201a of the host asks the user 
'whether or not to still continue the 
installation/starting-up by an execution inquiry 
unit 201d. Also, during a plug-in execution, whether or not to continue the execution of 
the plug-in is inquired at any time when an actually requested function is not shown in 
the above list. 
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DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to the recording medium which recorded 
the program which makes a computer perform the program execution arrester which 
prevents beforehand execution of a program dangerous for a user or a system, a 
program execution prevention method, and its method, and its program and in which 
computer reading is possible. 
[0002] 

[Description of the Prior Art]Although maintenance of the network (LAN) which 
connects the computer of the premises mutually from early was progressing in 
large-scale organisms, such as a company and a university, Since the client/server 
system of a PC base can introduce easily and cheaply, also at small and medium-sized 
enterprises, an individual home, etc., the network of two or more of the computers to 
hold is progressing quickly in recent years. 

[0003]The computer has become rather more common [ being used accessing the 
Internet ] rather than being used by a stand-alone by explosive expansion of the 
Internet for the past several years. Connection also becomes less new and not only the 
number of the computer connected to the Internet but the connect time of each 
computer is always in the tendency which increases increasingly these days. 
[0004] However, the data exchange with other computers in a network is one side of the 
convenience, and is also providing the opportunity of capital growth to the computer 
virus which invaded into the network concerned. The "I love you" virus (correctly worm) 
which spread in May, last year all over the world spreads, while winking through the 
e-mail system of the Internet, and the total amount of the material and immaterial 
damage which this generated measures, and is not found. 
[0005] 

[Problem(s) to be Solved by the Invention]And in order to avoid generating of the 
damage caused by such a virus beforehand, the software for virus detection and 
extermination is also marketed, but. The detection and extermination by this were 
surely "followed" on the principle, and there were problems, such as that it cannot 
respond and becoming a "pinching game" with a new type of virus which it is developed 
one after another and made skillful, in a strange virus. 

[0006]In such software, namely, a boot sector, a system memory, A partition table, a file, 



etc. check the existence of a code group (pattern) peculiar to a specific virus about all the 
possible places of a viral infection, and a virus is specified from the discovered code 
group. 

[0007]The virus which is not all over the table which matched a virus and its peculiar 
code group since it is such a principle, For example, even if it is a known virus as well as 
the strange virus which is not discovered and analyzed once until now, when the user 
has neglected renewal of a table, it cannot detect and exterminate. 
[0008]Although the pleiomorphia type virus which gets used even to which of the gestalt 
of 4 billion is increasing since the release of Mutation Engine (software with which a 
simple virus is easily changed into the maker of a virus by the pleiomorphia type), Since 
the code group contained in this type of virus is changing from the original thing, the 
detection and extermination by the above-mentioned technique become difficult. 
[0009]Furthermore, the above-mentioned software is a thing aiming at detection and 
extermination of a virus chiefly, In that a damage is given, it has the essential problem 
that a program with a certain bad faith without a virus and great difference is 
undistinguishable from the program which is not so in the user or the system. For 
example, unless all ActiveX controls which change a dialup place freely, and programs 
prepared in order to automate setting out and change of a dialup place are infected with 
the virus, execution will be permitted similarly. 

[0010]There are some which have restricted access to a local resource based on the 
security policy for every environment of that depending on this point environment. For 
example, the Java applets (i application etc.) performed on VM of Java cannot access 
the files (for example, telephone directory etc.) on the computer which operates at all. 
[OOlljFrom a viewpoint of safety, this is a very powerful and positive defense method, 
but on the other hand it serves as big obstacle and restriction in development of 
practical application, and there is a problem that the convenience of a developer or a 
user is spoiled. 

[0012JA program with this invention dangerous for a user or a system, or a program 
execution arrester which can prevent execution of that problem portion beforehand at 
least, It aims at providing the recording medium which recorded the program which 
makes a computer perform a program execution prevention method and its method, and 
its program and in which computer reading is possible. 
[0013] 

[Means for Solving the Problem] In order to solve a technical problem mentioned above 
and to attain the purpose, a program execution arrester concerning the invention 
according to claim 1 is provided with the following. 



A setting means to which a user's permission specifies a required function as the 
execution. 

A judging means which judges whether a function specified by said setting means in a 
functional listing shown from a program is included. 

An inquiring means which asks a user whether install said program when judged with 
said specified function being included by said judging means in said functional listing. 

[00 14] According to this invention according to claim 1, about a program which performs 

processing specified beforehand, while being warned to a user of that fact in advance of 

installation, when a user points, the installation concerned is stopped. 

[0015]The program execution arrester according to claim 2 is provided with the 

following. 

A setting means to which a user's permission specifies a required function as the 
execution. 

A judging means which judges whether a function specified by said setting means in a 
functional hsting shown from a program is included. 

An inquiring means which asks a user whether start said program when judged with 
said specified function being included by said judging means in said functional listing. 

[00 16] According to this invention according to claim 2, about a program which performs 
processing specified beforehand, while being warned to a user of that fact in advance of 
starting, when a user points, the starting concerned is stopped. 

[0017]The program execution arrester according to claim 3 is provided with the 
following. 

A setting means to which a user's permission specifies a required function as the 
execution. 

The 1st judging means that judges whether a function called from a program is a 
function specified by said setting means. 

The 2nd judging means that judges whether it was contained in a functional listing 
shown said called function from said program when judged with said called function 
being said specified function by said 1st judging means, An inquiring means which asks 
a user whether continue execution of said program when judged with not having been 
contained in a functional listing shown said called function from said program by said 
2nd judging means. 

[00 18] According to this invention according to claim 3, when a different function from 



having been beforehand shown during execution of a program is called, while being 
warned to a user of that fact, when a user points, execution of the program concerned is 
interrupted. 

[0019]The program execution prevention method according to claim 4, A determination 
process which judges whether a function specified at said specification process is 
included in a specification process to which a user's permission specifies a required 
function as the execution, and a functional listing shown from a program, When judged 
with said specified function being included in said functional listing by said 
determination process, an inquiry process of asking a user whether install said program 
was included. 

[0020]According to this invention according to claim 4, about a program which performs 
processing specified beforehand, while being warned to a user of that fact in advance of 
installation, when a user points, the installation concerned is stopped. 
[0021]The program execution prevention method according to claim 5, A determination 
process which judges whether a function specified at said specification process is 
included in a specification process to which a user's permission specifies a required 
function as the execution, and a functional listing shown from a program, When judged 
with said specified function being included in said functional listing by said 
determination process, an inquiry process of asking a user whether start said program 
was included. 

[0022]According to this invention according to claim 5, about a program which performs 
processing specified beforehand, while being warned to a user of that fact in advance of 
starting, when a user points, the starting concerned is stopped. 

[0023]The program execution prevention method according to claim 6, A specification 
process to which a user's permission specifies a required function as the execution, and 
the 1st determination process that judges whether a function called from a program is a 
function specified at said specification process, The 2nd determination process that 
judges whether it was contained in a functional listing shown said called function from 
said program when judged with said called function being said specified function by said 
1st determination process, When it judged that it was not contained by said called 
function in a functional listing shown from said program by said 2nd determination 
process, an inquiry process of asking a user whether continue execution of said program 
was included. 

[0024]According to this invention according to claim 6, when a different function from 
having been beforehand shown during execution of a program is called, while being 
warned to a user of that fact, when a user points, execution of the program concerned is 



interrupted. 

[0025]The program according to claim 7 is characterized by being a program which 
makes a computer perform a method of any one statement of said claim 4 - claim 6. 
[0026]According to this invention according to claim 7, a method of any one statement of 
said claim 4 - claim 6 is read by computer, and is performed. 

[0027]The recording medium according to claim 8 recorded said program according to 
claim 7. 

[0028]According to this invention according to claim 8, said method according to claim 7 

is read by computer, and is performed. 

[0029] 

[Embodiment of the Invention] With reference to an accompanying drawing, the suitable 
embodiment of the recording medium which recorded the program which makes a 
computer perform the program execution arrester by this invention, a program 
execution prevention method, and its method, and its program and in which computer 
reading is possible is described in detail below. 

[0030] Drawing 1 is an explanatory view showing the hardware constitutions of the 
program execution arrester concerning an embodiment of the invention. In the figure, 
RAM for which 103 are used as a work area of CPU101 in ROM 102 remembered the 
intercalation output program to be for CPU by which 101 controls the whole device is 
shown, respectively. 

[0031]HD which memorizes the data in which HDD (hard disk drive) by which 104 
controls the read/write of the data to HD(hard disk) 105 according to control of CPU101 
was written in 105 according to control of HDD104 is shown, respectively. 106 FDD 
(floppy disk drive) which controls the read/write of the data to FD(floppy (registered 
trademark) disk) 107 according to control of CPU101, 107 shows FD which can be 
detached and attached and which memorizes the data written in according to control of 
FDD 106, respectively. 

[0032]The display on which 108 displays various data, such as cursor, a menu, a window 
or a character, and a picture, It is connected to a network via the telecommunication 
cable 110, and 109 shows the network interface which function's as an interface of the 
network concerned and CPU101, respectively. 

[0033]The mouse in which 112 performs the keyboard with which 111 was provided with 
two or more keys for inputs, such as a character, a numerical value, and various 
directions, for selection of various directions, execution and selection of a processing 
object, movement of cursor, etc. is shown, respectively. A bus or a cable for 100 to 
connect each part of the above for the CD-ROM drive with which 114 control the lead of 



data [ as opposed to CD-R0M113 for CD-ROM whose 113 is a removable recording 
medium ] is shown, respectively. 

[0034]Next, drawing 2 is an explanatory view showing functionally the composition of 
the program execution arrester concerning an embodiment of the invention. The 
program execution arrester by this invention specifically (1) plug-in, it explains below - 
as - (2) -- the execution propriety of the plug-in concerned is judged, and when 
execution is good, it realizes more, without the application (application which serves as 
a host) which provides the plug-in concerned with a various function (service). And the 
inside 200x of drawing 2 is a function part realized with plug-in by the application with 
which 20 lx becomes the host, respectively. 

[0035] 200a is a functional listing presentation part which shows the application which 
serves as the host the list of the functions which the plug-in concerned uses just before 
installation of plug-in, or starting. Or at the time of a handshake with a host, the list of 
the functions in which it is planned that this plug-in calls from the host concerned is 
shown, but it is good. Actually, the installer of the plug-in concerned will perform 
functional presentation before installation, and the main part of the plug-in concerned 
will perform functional presentation before starting after installation. 
[0036] 200b is a function call part in which call various functions (for example, services, 
such as file reading, file deletion, window generation, and a text output) which a host 
provides according to a predetermined procedure, and processing by each function is 
made to perform. 

[0037]Next, 201a refers to the functional listing shown from the functional listing 
presentation part 200a of plug-in, It is a security management department which judges 
the installation propriety and starting propriety, or continuation propriety (these are 
also collectively called execution propriety below) before execution of the plug-in 
concerned, or during execution. 

[0038]201b is the security policy DB (database) used as the foundation of the judgment 
by the security management department 201a which stores a security policy. There are 
a thing for judging that execution propriety (installation propriety or starting propriety) 
before execution of (1) plug-in and a thing for judging that execution propriety 
(continuation propriety) during execution of (2) plug-in in this security policy. 
[0039] Specifically with the security policy before execution of (1). "when the specific 
function is included in the functional listing shown from the plug-in concerned before 
execution of plug-in, Say whether install the plug-in concerned and that it asks a user 
whether start or not", and with the security policy under execution of (2). "When the 
function which is not into the functional listing which is the above-mentioned specific 



function during execution of plug-in, and was shown before execution from the plug-in 
concerned is called, it asks a user whether continue execution of the plug-in concerned." 
[0040]Next, 201c is a security policy set part which stores the set-up information in 
security policy DB201b while receiving the detailed setting of the above-mentioned 
security policy from a user. 

[0041] Drawing 3 is an explanatory view which is displayed by the security policy set 
part 201c and in which showing an example of the screen for setting up "the specific 
function" of the security policy of the above (1) and (2). What has a possibility of giving a 
damage to a user and a system among the functions with which the application which 
serves as a host provides the plug-in in the box 300 of the left-hand side in a figure is 
enumerated. 

[0042]For example, as for a "deleting file which another program created" (refer to 
drawing 3) -bv calling host's function case, a system file and other data files may be 
deleted without a user's permission by execution of the plug-in concerned. [ plug-in of a 
certain mailer ] This may cause the serious situations -- all of the abnormalities and 
destruction of a system, and mail have been erased. 

[0043] If another program in which a host does not have a concern will be started when 
plug-in "can call another program", there is no telling what kind of destructive action 
the program carries out henceforth. Since system information and personal information 
are stored in registry when "registry can be accessed", damage - the personal 
information (especially password) which can change the connection destination of the 
dialup which has a system destroyed is stolen - may occur. 

[0044]Also when "e-mail can be sent to the user who is not registered into an address 
book", the personal information of users including a mail address may flow into a 
strange partner. On the contrary, also when "e-mail can be sent to all the users 
registered into the address book", there is a possibility that the damage of a virus may 
be continuously expanded from an acquaintance to an acquaintance so that the example 
of "I love you" which was much in fashion in the spring of last year may show. 
[0045]in addition - if transmission destinations are a large number to some extent, they 
are that which has the same danger even if it is not necessarily All Users in an address 
book (there are some which send a self duplicate to the first address of 50 affairs like 
"Melissa") -- here - "all" - it may be "more than O people" etc. instead. 
[0046]transmitting e-mail to All Users in an address book, (1) Since it can also regard as 
the combination of two functions of listing of Memba from an address book, and 
transmission of the mail to Memba which carried out (2) listings, the above-mentioned 
expression can also be put in another way as "Memba can be enumerated from an 



address book and e-mail can be transmitted" etc. 

[0047]however, a known partner -- be -- a strange partner -- be - the text and 
transmission destination being shown to a user and in advance of transmission of e-mail, 
And since it will be thought that there is no danger if transmitted in the state as it is 
(namely, ** to which neither alteration of the text nor attachment of a new file is 
performed), it may be made to except such an exceptional case from the above in detail 
more finely. 

[0048]Many functions shown in drawing 3 may not be accompanied by the always above 
danger, and it may be indispensable on the purpose of the plug-in to use the function 
concerned. If it refers to the purpose of plug-in, a user may be able to judge the existence 
of danger separately. For example, if it is plug-in only for only displaying the graphics 
file of a certain form, when it is not necessary to delete other files clearly and the plug-in 
concerned is calling the function of file deletion temporarily, a possibility of being 
infected with a certain virus is high. 

[0049]Then, among the functions to enumerate in the box 300 on the left-hand side of 
drawing 3 . it is dangerous and the check extracts especially only what necessity and a 
user consider in the right-hand side box 303 with the right arrow button 301 and the 
left arrow button 302 a priori. As the above-mentioned specific function, the figure is the 
example which specified "e-mail can be sent to all the users registered into the address 
book." If OK button 304 is pushed in this state, the security policy set part 201c stores a 
setting detail in security policy DB201b. 

[0050]It returns to drawing 2 . and next, it is an execution propriety inquiry part, and 
201 d displays the dialog for obtaining the check, when the security management 
department 201a judges with a user's check being required based on the security policy 
in security policy DB201b. 

r0051] Drawing 4 i s an explanatory view showing an example of the dialog for checking 
the execution propriety before plug-in execution displayed by the execution propriety 
inquiry part 20 Id. The function (it extracted from the left-hand side box 300 in the 
right-hand side box 303, but is good) and match which the user specified on the screen of 
drawing 3 are shown in this dialog among the functional listing which plug-in presented. 
And processing which is called the transmitting mail to All Users in an address book 
and which cannot necessarily be said as safety is performed so that this plug-in may be 
illustrated, but the user is asked about whether it is still used. 

[0052]in addition - although the dialog of drawing 4 may be displayed any time as long 
as it is before execution of plug-in - realistic - (1) - just before installation of the 
plug-in concerned, and/or (2) - it will display just before starting of the plug-in 



concerned. 

[0053]And when a user pushes the "yes" button 400 by the check in front of installation 
(i.e., when a user permits use of the plug-in concerned in spite of warning). The 
execution propriety inquiry part 201d displays a dialog as further shown in drawing 5, 
and after making it set up whether the check again same also just before starting of 
plug-in is performed, it installs the plug-in concerned. 

[0054] When a user pushes the "no" button 401 in the dialog shown in drawing 4 , 
installation displays the message of "having stopped installation of plug-in", without 
carrying out. 

[0055]When the "yes" button 500 is pushed in the dialog shown in drawing 5 (i.e.. when 
set up also check just before starting), whenever plug-in installed after this is called by 
that host, the same dialog as drawing 4 comes to be displayed. 

[0056]And when the "yes" button 400 is pushed in the dialog of the figure displayed just 
before starting, the plug-in concerned is started, without displaying the dialog of 
drawing 5 . If the "no" button 401 is pushed here, starting of plug-in will not be 
performed but will display the message of "were not able to start plug-in" instead. 
[0057]Drawjng_6_is an explanatory view showing an example of the dialog for checking 
the execution propriety during plug-in execution similarly displayed by the execution 
propriety inquiry part 201d. This dialog is displayed at any time, when the function 
which is not into the functional listing which is the function which the user specified on 
the screen of drawing 3 during execution of plug-in, and was shown before execution is 
called. 

[0058]Only by the check before the execution by the security policy of (1) mentioned 
above (just before installation or starting), when plug-in is infected with the virus which 
can present the functional listing of camouflage, surveillance will be able to be easily 
escaped by not notifying a dangerous function. Then, also while performing whether the 
function which differs from having been shown before execution by the above-mentioned 
(2) security policy is called, it monitors continuously. 

[0059]In the example of drawing 6 , although the transmitting mail to All Users in an 
address book was not notified a priori, execution of the above-mentioned function will be 
suspended by the display of the above-mentioned dialog during execution of the plug-in 
concerned temporarily, and, so to speak, it will be stopped at the water's edge. 
[0060]The user who received the warning by the dialog of drawing 6 can perform 
processing shown in the dialog as it is by carrying out the depression of the 
"continuation" button 600, if it judges that it is satisfactory. When it judges that there is 
a certain danger, execution of this plug-in can once be interrupted for carrying out the 



depression of the "stop" button 601, and the measures against reconfirming the source 
of plug-in etc. can be taken. 

[0061]But if it is planned to say that no doubtful plug-in which calls the function which 
has not been notified a priori is used, the plug-in concerned is uninstallable from 
directly the dialog of the figure by carrying out the depression of the "uninstallation" 
button 602. 

[0062]If it returns to drawing 2 , then 201e is a system-protection part and the call of one 
of functions is received from the function call part 200b during execution of plug-in, It is 
asked to the security management department 201a whether the function concerned is 
what execution is permitted without an user validation. 

[0063]And when execution is permitted under the above-mentioned (2) security policy 
(i.e., when the function concerned is notified a priori), it points to the system-protection 
part 201e to one which provides plug-in with the function concerned of function parts 
(after-mentioned), and it makes the demanded processing perform. 
[0064] When execution of the function concerned is not permitted (i.e., when the function 
concerned is not what was notified a priori), a dialog as shown in drawing 6 is displayed 
by the execution propriety inquiry part 20 Id which received the directions from the 
security management department 201a. And when "continuation" button 600 is pushed 
in this dialog as mentioned above, it points to the system-protection part 20 le to one 
which provides plug-in with the above-mentioned function of function parts 
(after-mentioned), and it makes the demanded processing perform. 
[0065]It returns to drawing 2 and then 201f-201i are function parts which provide 
various kinds of functions (service) to plug-in, The file reading part which provides 201 f 
of services of file reading, The file deletion part which provides 201 g of service of file 
deletion, the window generation part which provides 201 h of services of window 
generation, and 201i are text outputting parts which provide service of a text output. 
Although many functions provided exist besides what was hung up above, the graphic 
display is omitted in the figure (for example, registry access, transmitting mail, etc.). 
[0066]Next, drawing 7 - drawing 9 are flow charts in the program execution prevention 
system concerning an embodiment of the invention which show the procedure of a 
program execution preventing process. Drawing 7 p revents the stop of installation of a 
program (in this case, plug-in), drawing 8 p revents the stop of starting of a program (the 
left), and drawing 9 p revents execution of a program respectively dangerous as a result 
by discontinuation of the program (the left) under execution. 

[0067]In advance of the start of processing by the flow chart of the 7- drawing 9 , the 
security policy before execution and under execution shall be beforehand set as security 



policy DB201b by the security policy set part 201c. 

[0068]The procedure of the prevention from program execution by the stop of 
installation first shown in drawing 7 i s explained. The functional listing presentation 
part 200a of plug-in presents the list of the functions which the plug-in concerned calls 
and uses in advance of installation of the plug-in concerned to the application which 
serves as the host (Step S701). 

[0069]It is judged whether the application which serves as a host needs an user 
validation for installation of this plug-in with reference to the security policy in security 
policy DB201b while receiving the above-mentioned list in that security management 
department 201a (Step S702). if it confirms whether the function specified beforehand is 
included and is specifically contained during the shown list - a check important point - 
if not contained - a check - suppose that it is unnecessary. 

[0070]And if the user validation is required (Step S702: Yes), A dialog as shown in 
drawing 4 b y the execution propriety inquiry part 201d is displayed (Step S703), and 
when the "yes" button 400 is pushed in the dialog of the figure, (Step S704:Yes) and a 
dialog as further shown in drawing 5 are displayed (Step S705). Then, it carries out 
usually through installation of the plug-in concerned (Step S706), and processing by 
this flow chart is ended. 

[0071]Instead of performing (Step S704:No) and installation, when the "no" button 401 
is pushed in the dialog of drawing 4 . the message of the purport that installation was 
stopped is displayed (Step S707), and processing by this flow chart is ended. 
[0072]The procedure of the prevention from program execution by motive stop shown in 
drawing 8 below is explained. If plug-in is called from the application which serves as 
the host, the functional listing presentation part 200a will show the list of functions 
which is planning use (Step S801). In a host, it is judged by that security management 
department 201a whether an user validation is required in advance of starting of this 
plug-in (Step S802). 

[0073]It is specifically a dialog (Step S705 of drawing 7) of drawing 5 at the time of 
installation, It is a case where it is set up also check again just before starting, and 
when the function beforehand specified in the functional listing shown above is included, 
it judges with an user validation being required (Step S802: Yes). And it points in the 
execution propriety inquiry part 20 Id, and a dialog as shown in drawing 4 is displayed 
(Step S803). 

[0074]If the "yes" button 400 is pushed in this dialog (Step S804: Yes), If it starts usually 
through plug-in (Step S805) and the "no" button 401 is pushed (Step S804: No), after 
displaying the message of the purport that starting of plug-in was stopped (Step S806), 



processing by this flow chart is ended. 

[0075]The procedure of the prevention from program execution by execution 
discontinuation shown in drawing 9 b elow is explained. The system-protection part 
20 le points that there is a call of a function from the function call part 200b of plug-in to 
the application which serves as the host in the security management department 201a 
(Step S901), It is made to judge whether the function concerned is what may be 
performed without an user validation (Step S902). 

[0076]The security management department 201a is a function in which the function 
concerned was beforehand specified by the security policy set part 201c, And when it 
differs from the function shown before execution (just before installation and/or 
starting), it judges with a user's check being required (Step S902: Yes), and it points in 
the execution propriety inquiry part 201d, and a dialog as shown in drawing 6 is 
displayed (Step S903). 

[0077]. And perform processing called when "continuation" button 600 was pushed in 
this dialog (Step S904: Yes). Namely, execution of plug-in is continued as it is (Step 
S905), If the "stop" button 601 is pushed (Step S904: No, step S906:Yes), while 
interrupting execution of plug-in at the time, the fact will be displayed by a message 
(Step S907). 

[0078]If "uninstallation" button 602 is pushed (Step S906: No), after uninstalling the 
plug-in concerned (Step S908), processing by this flow chart will be ended. 
[0079]Although it waited for a user's directions and an installation stop, a starting stop, 
or execution discontinuation was performed in the embodiment mentioned above, Or 
when the function beforehand specified in the shown functional listing is included, or 
when the function which is not into the functional listing shown beforehand is called, it 
does not wait for a user's directions but may be made to perform a stop and 
discontinuation compulsorily. 

[0080]Although checking to a user by the functional unit which a program uses set up 
whether would lend and there would be in the embodiment mentioned above (drawing 
3), checking for every program may enable it to set up whether lends and there is. For 
example, when one PC is being used by two or more persons, so that dangerous plug-in 
(plug-in etc. which is not certain as for a source) may not be easily introduced by other 
users, The management representative specifies plug-in beforehand, and when the 
other plug-in becomes installed, it may be made to display warning like drawing 4 . 
[0081]The program which realizes each above-mentioned function part can be stored in 
various recording media, such as FD107 besides HD105, CD-ROM113, or MO, and can 
be distributed with the recording medium concerned. Distributing via a network is also 



possible. 

[0082]The security management department 201a shown in drawing 2 i s equivalent to 
the "judging means", the "1st judging means", and the "2nd judging means" which are 
said to a claim, and the processing to perform is equivalent to the "determination 
process", the "1st determination process", and the "2nd determination process" which 
are said to a claim so that clearly also from the above-mentioned explanation. 
[0083]The processing to perform is equivalent to the "setting means" which the security 
policy set part 201c says to a claim at the "specification process" said to a claim. The 
processing to perform is equivalent to the "inquiring means" which the execution 
propriety inquiry part 201d says to a claim at the "inquiry process" said to a claim. 
[0084]As explained above, when the function in which there is a possibility of giving a 
damage to a user and a system is included in plug-in according to the embodiment of the 
invention, Since installation and starting of the plug-in concerned are refused according 
to a user's judgment, the damage which may be produced as a result of performing the 
plug-in concerned is beforehand avoidable. 

[0085]Without trusting easily the functional listing shown before execution, since the 
credibility is continuously monitored also during execution, plug-in which it tries to call 
secretly while performing the dangerous function which has not been notified a priori 
can be stopped, just before the function concerned is called. The effect brought about by 
this is the same as that of the above. 

[0086]And regardless of whether this invention is the program created with whether it 
is the program infected with the virus on the principle, and a certain bad faith, Since 
the execution can be prevented if operation dangerous for a user or a system is carried 
out, the usual program which was difficult for indication, and a program with the bad 
faith which distinction does not attach are also easily detectable by conventional 
technology. . 

[0087]Even if it is the pleiomorphia type virus which is increasing in recent years, as 
long as the processing made into the purpose is the same, it has the feature that it is 
detectable irrespective of the difference in an external code. And the work which does 
not need to prepare the virus definition file (it is called a pattern file, a DAT file, etc.) 
which covered the code group of all the viruses, and updates the file concerned 
frequently for the detection is also unnecessary. 

[0088] Since this invention prevents execution of a program by very simple judgment 
[ say / whether a thing dangerous in the function which is due to be called as mentioned 
above is contained or the actually called function was notified a priori ], There is also a 
realistic merit that it is enforced strictly reasonable every day and effectiveness can be 



planned without requiring a long time like the conventional virus scan. 
[0089]Since the function which can be used like Java of conventional technology is not 
restricted uniformly, the flexibility of a program is able to aim at coexistence of increase, 
safety, and convenience. 

[0090]Especially in the embodiment mentioned above, execution propriety was judged 
about plug-in in the application which serves as the host in the program, and it is also 
possible to apply this invention, for example to the relation between a broad view and 
the application concerned which carries out macro operation. 

[0091]This invention is applied between general application and OS, namely, the 
function of discontinuation of the program under the stop of installation of a program, a 
motive stop, or execution can also be given to the OS itself. By this, it will be equivalent 
to introducing antivirus software etc. separately, or the safety effect beyond it will be 
acquired. 

[00921 Drawing 10 i s an explanatory view showing typically how execution of application 
is prevented, when OS is made to possess the program execution preventing function by 
this invention. The figure shows the example interrupted when the application once 
permitted installation and starting calls during execution the file deletion function 
which is not during the above-mentioned list by presentation of the functional listing of 
camouflage. 
[0093] 

[Effect of the Invention] As explained above, the invention according to claim 1, The 
judging means which judges whether the function specified by said setting means in the 
setting means to which a user's permission specifies a required function as the 
execution, and the functional listing shown from the program is included, Since it had 
the inquiring means which asks a user whether install said program when judged with 
said specified function being included by said judging means in said functional listing, 
About the program which performs processing specified beforehand. While being 
warned to a user of the fact in advance of installation, when a user points, it is stopped 
by the installation concerned and by this. The effect that the program execution 
arrester which can prevent execution of a program dangerous for a user or a system 
beforehand is obtained is done so. 

[0094]The setting means to which the invention according to claim 2 specifies a function 
for a permission to be granted [ of a user ] as the execution, The judging means which 
judges whether the function specified by said setting means in the functional listing 
shown from the program is included, Since it had the inquiring means which asks a 
user whether start said program when judged with said specified function being 



included by said judging means in said functional listing, About the program which 
performs processing specified beforehand. While being warned to a user of the fact in 
advance of starting, when a user points, the starting concerned is stopped and the effect 
that the program execution arrester which can prevent execution of a dangerous 
program beforehand for a user or a system by this is obtained is done so. 
[0095]The setting means to which the invention according to claim 3 specifies a function 
for a permission to be granted [ of a user ] as the execution, The 1st judging means that 
judges whether the function called from the program is a function specified by said 
setting means, The 2nd judging means that judges whether it was contained in the 
functional listing shown said called function from said program when judged with said 
called function being said specified function by said 1st judging means, The inquiring 
means which asks a user whether continue execution of said program when judged with 
not having been contained in the functional listing shown said called function from said 
program by said 2nd judging means, When a function which is different from having 
been beforehand shown during execution of a program by that of ******** i s called, 
While being warned to a user of the fact, when a user points, execution of the program 
concerned is interrupted, and the effect that the program execution arrester which can 
prevent execution of the problem portion of a dangerous program beforehand for a user 
or a system by this is obtained is done so. 

[0096]The specification process to which the invention according to claim 4 specifies a 
function for a permission to be granted [ of a user ] as the execution, The determination 
process which judges whether the function specified at said specification process in the 
functional listing shown from the program is included, Since the inquiry process of 
asking a user whether install said program was included when judged with said 
specified function being included in said functional listing by said determination process, 
About the program which performs processing specified beforehand. While being 
warned to a user of the fact in advance of installation, when a user points, it is stopped 
by the installation concerned and by this. The effect that the program execution 
prevention method which can prevent execution of a program dangerous for a user or a 
system beforehand is acquired is done so. 

[0097]The specification process to which the invention according to claim 5 specifies a 
function for a permission to be granted [ of a user ] as the execution, The determination 
process which judges whether the function specified at said specification process in the 
functional listing shown from the program is included, Since the inquiry process of 
asking a user whether start said program was included when judged with said specified 
function being included in said functional listing by said determination process, About 



the program which performs processing specified beforehand. While being warned to a 
user of the fact in advance of starting, when a user points, the starting concerned is 
stopped and the effect that the program execution prevention method which can prevent 
execution of a dangerous program beforehand for a user or a system by this is acquired 
is done so. 

[0098]The specification process to which the invention according to claim 6 specifies a 
function for a permission to be granted [ of a user ] as the execution, The 1st 
determination process that judges whether the function called from the program is a 
function specified at said specification process, The 2nd determination process that 
judges whether it was contained in the functional listing shown said called function 
from said program when judged with said called function being said specified function 
by said 1st determination process, The inquiry process of asking a user whether 
continue execution of said program when it judges that it was not contained by said 
called function in the functional listing shown from said program by said 2nd 
determination process, When a function which is different from having been beforehand 
shown during execution of a program by ****** i s called, While being warned to a user 
of the fact, when a user points, execution of the program concerned is interrupted, and 
the effect that the program execution prevention method which can prevent execution of 
the problem portion of a dangerous program beforehand for a user or a system by this is 
acquired is done so. 

[0099] Since the invention according to claim 7 makes a computer perform the method of 
any one statement of said claim 4 - claim 6, The method of any one statement of said 
claim 4 - claim 6 is read by computer, is performed, and by this. The effect that a user, a 
program dangerous for a system, or the program that can prevent execution of the 
problem portion beforehand at least is acquired is done so. 

[0100]Since the invention according to claim 8 recorded said program according to claim 
7, Said program according to claim 7 is read by computer, and is executed, and the effect 
that a user, a program dangerous for a system, or the recording medium that can 
prevent execution of the problem portion beforehand at least is obtained by this is done 
so. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing l] It is an explanatory view showing the hardware constitutions of the 
program execution arrester concerning an embodiment of the invention. 



[Drawing 2] It is an explanatory view showing functionally the composition of the 

program execution arrester concerning an embodiment of the invention. 

[Drawing 3] It is an explanatory view showing an example of the screen for setting up 

the details of a security policy displayed by the security policy set part 201c. 

[Drawing 4] It is an explanatory view showing an example of the dialog for checking the 

execution propriety before plug-in execution displayed by the execution propriety 

inquiry part 201d. 

[Drawing 5] It is an explanatory view showing an example of the dialog for setting up 
whether execution propriety is checked also just before starting of plug-in displayed by 
the execution propriety inquiry part 201d. 

[Drawing 6] It is an explanatory view showing an example of the dialog for checking the 
execution propriety during plug-in execution displayed by the execution propriety 
inquiry part 20 Id. 

[Drawing 7] It is a flow chart which shows the procedure of the program execution 
preventing process by the stop of installation in the program execution prevention 
system concerning an embodiment of the invention. 

[Drawing 8] It is a flow chart which shows the procedure of the program execution 
preventing process by starting stop in the program execution prevention system 
concerning an embodiment of the invention. 

[Drawing 9"| It is a flow chart which shows the procedure of the program execution 
preventing process by execution discontinuation in the program execution prevention 
system concerning an embodiment of the invention. 

[Drawing lOl When this invention is applied to OS, it is an explanatory view showing 
typically how execution of application is prevented. 
[Description of Notations] 

100 A bus or a cable 

101 CPU 

102 ROM 

103 RAM 

104 HDD 

105 HD 

106 FDD 

107 FD 

108 Display 

109 Network I/F 

110 Telecommunication cable 



111 Keyboard 

112 Mouse 

113 CD-ROM 

114 CD-ROM drive 

200a Functional listing presentation part 

200b Function call part 

201a Security management department 

201b Security policy DB 

201c Security policy set part 

201 d Execution propriety inquiry part 

20 le System-protection part 

201 f File reading part 

20 lg file deletion part 

201 h Window generation part 

20 li Text outputting part 



* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect 
the original precisely. 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



